k8s: Inject rbac.yaml into operator.yaml

This change combines the templates for rbac.yaml and operator.yaml with a few additional wrinkles: - split of the the rules that are specific to the operator.zuul-ci.org apiGroup to line up with the Helm chart and provide more explicit permissions - changed the role binding to bind to the zuul-operator role, not cluster-admin role. This was presumably an unintentional error. - added rule for batch/jobs which is used for the pxc-create-db job - made functional test use admin template By doing this, it will become easier to align the static templates with the Helm chart and to subsequently auto-generate them. Change-Id: I940280fc7134ce280a80584c7b652bdfe360cc8b
2022-12-01 11:24:04 -08:00 · 2022-12-01 11:24:04 -08:00 · 100808cb6d
parent 35adb6fe24
commit 100808cb6d
4 changed files with 148 additions and 127 deletions
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@ -1,3 +1,149 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: zuul-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: zuul-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  - ingresses
+  - namespaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resourceNames:
+  - zuul-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  - deployments
+  verbs:
+  - get
+- apiGroups:
+  - cert-manager.io
+  - pxc.percona.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - operator.zuul-ci.org
+  resources:
+  - zuuls
+  - zuuls/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: zuul-operator
+subjects:
+- kind: ServiceAccount
+  name: zuul-operator
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: zuul-operator
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@ -1,124 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: zuul-operator
-
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: zuul-operator
-rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - services
-  - services/finalizers
-  - endpoints
-  - persistentvolumeclaims
-  - events
-  - configmaps
-  - secrets
-  - ingresses
-  - namespaces
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  - replicasets
-  - statefulsets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - apps
-  resourceNames:
-  - zuul-operator
-  resources:
-  - deployments/finalizers
-  verbs:
-  - update
- apiGroups:
-  - apps
-  resources:
-  - replicasets
-  - deployments
-  verbs:
-  - get
- apiGroups:
-  - operator.zuul-ci.org
-  - cert-manager.io
-  - pxc.percona.com
-  resources:
-  - '*'
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - servicemonitors
-  verbs:
-  - get
-  - create
-
---
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: zuul-operator
-subjects:
- kind: ServiceAccount
-  name: zuul-operator
-  namespace: default
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin #zuul-operator
-  apiGroup: rbac.authorization.k8s.io
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -113,7 +113,6 @@ privileges:
 .. code-block:: bash

   kubectl apply -f deploy/crds/zuul-ci_v1alpha1_zuul_crd.yaml
-   kubectl apply -f deploy/rbac.yaml
   kubectl apply -f deploy/operator.yaml

 After this point, usage is the same as other methods.
--- a/playbooks/zuul-operator-functional/install_templates.yaml
+++ b/playbooks/zuul-operator-functional/install_templates.yaml
@ -7,13 +7,13 @@
    zuul_work_dir: "{{ zuul.projects['opendev.org/zuul/zuul-operator'].src_dir }}"
  tasks:
    - name: Setup CRD
-      command: kubectl apply -f deploy/crds/zuul-ci_v1alpha2_zuul_crd.yaml -f deploy/rbac.yaml
+      command: kubectl apply -f deploy/crds/zuul-ci_v1alpha2_zuul_crd.yaml
      args:
        chdir: "{{ zuul_work_dir }}"

    - name: Install operator
      when: install_operator
-      command: kubectl apply -f deploy/operator.yaml
+      command: kubectl apply -f deploy/operator-cluster-admin.yaml
      args:
        chdir: "{{ zuul_work_dir }}"